[Firehol-support] How to run firehol from within a container?
Phil Whineray
phil at firehol.org
Mon Jan 28 07:15:29 GMT 2019
On Sun, Jan 27, 2019 at 05:28:39PM +0100, Wojtek Swiatek wrote:
> Hello everyone
>
> I have a systemd-nspawn container which will be the landing area of a VPN.
> It will therefore, in addition to the existing host0 interface, have a tun0
> one.
> I was planning to use firehol to orchestrate the traffic.
>
> Unfortunately, upon starting it with a basic configuration I immediately
> get an error message:
>
> ----
> root at openvpn ~# firehol try
>
> WARNING:
> --------
> FireHOL cannot find your current kernel configuration.
> Please, either compile your kernel with /proc/config,
> or make sure there is a valid kernel config in:
> /usr/src/linux/.config
>
> Because of this, FireHOL will simply attempt to load
> all kernel modules for the services used, without
> being able to detect failures.
>
> FireHOL: Saving active firewall to a temporary file... Failed to list table
> names in /proc/net/ip_tables_names: Permission denied
> ----
>
>
> I can see and set iptable entries so I hope that this is something which
> is non-blocking?
>
> Thanks in advance for any ideas!
/proc/net/ip_tables_names is used by firehol, so I'm afraid this may
block you unless the permission to read the file is solved.
This happens when you use an unprivileged container i.e. a user namespace;
the file is not mapped to anything that can read it within the namespace.
Although iptables works, related commands that need to query the state
such as iptables-save and iptables-restore do not.
From some kernel after 4.3 a patch was included in the kernel which
means if the namespaces are used in a particular order then the file
will be readable. This won't happen with the most obvious way of using
namespaces, i.e. to create them simultaneously, and I don't know if
any/all containerisation software has been updated.
A script to "do something useful" including a workaround for the
non-readable file that I used to set up testing in an unprivileged
namespace is here [1]. Maybe it will help a bit, but if I recall
various other problems arise unless you already have the required
tables, matchers etc. in use beforehand: because you are not really
root you do not have permission to autoload the modules.
Hope that helps
Phil
1: https://raw.githubusercontent.com/firehol/firehol/master/tests/tools/newns
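The two failure modes Phil describes (the table list in /proc/net/ip_tables_names not being readable inside a user namespace, and tables that were never loaded from outside the namespace being absent because modules cannot be autoloaded) can be checked before "firehol try" is run. The script below is an added example, not part of FireHOL, of the newns script, or of this thread; the helper names (in_user_namespace, tables_readable, table_present, firehol_preflight) and the file-path arguments are this example's own, chosen so the checks can be pointed at constructed files for testing. It relies on one fact about the kernel: /proc/self/uid_map in the initial user namespace is a single line "0 0 4294967295", and anything else means the process is inside a user namespace.

```sh
#!/bin/sh
# Preflight check before running "firehol try" inside a container.
# Added example (not FireHOL's own tooling). Every function takes optional
# path arguments that default to the real /proc files; the defaults are
# what you want inside the container, the arguments exist for testing.

# Returns 0 when the uid_map is anything other than the identity mapping
# of the initial user namespace ("0 0 4294967295" on a single line), i.e.
# when we are inside a user namespace such as an unprivileged
# systemd-nspawn container.
in_user_namespace() {
    map="${1:-/proc/self/uid_map}"
    [ "$(awk '{ print $1, $2, $3 }' "$map" 2>/dev/null)" != "0 0 4294967295" ]
}

# Returns 0 when the kernel's table list can actually be read. A real read
# is attempted rather than "[ -r ]", because the error firehol reports
# ("Failed to list table names ... Permission denied") comes from the open
# done by iptables-save, not from a permission-bit check.
tables_readable() {
    cat "${1:-/proc/net/ip_tables_names}" >/dev/null 2>&1
}

# Returns 0 when table $1 (filter, nat, mangle, raw) is already listed in
# $2. Without module autoload, a table that was not already in use before
# entering the namespace will simply not appear.
table_present() {
    grep -qx "$1" "${2:-/proc/net/ip_tables_names}" 2>/dev/null
}

# Runs all checks, prints a diagnosis and returns 0 only when the table
# list is readable and every required table is present.
#   $1 uid_map path, $2 table-list path, $3 space-separated required tables
firehol_preflight() {
    uid_map="${1:-/proc/self/uid_map}"
    names="${2:-/proc/net/ip_tables_names}"
    required="${3:-filter nat}"
    status=0
    if ! tables_readable "$names"; then
        echo "$names is not readable: 'firehol try' will fail at iptables-save"
        if in_user_namespace "$uid_map"; then
            echo "running inside a user namespace; see the newns workaround script"
        fi
        return 1
    fi
    for t in $required; do
        if ! table_present "$t" "$names"; then
            echo "table '$t' is not loaded and cannot be autoloaded here;" \
                 "it must already be in use before entering the namespace"
            status=1
        fi
    done
    return $status
}

# Usage inside the container (no arguments, so the real /proc files are used):
#   . ./firehol-preflight.sh && firehol_preflight && firehol try
```

The preflight refuses early on exactly the condition that makes firehol's "Saving active firewall" step fail, and separately reports tables that are missing because nothing outside the namespace created them first; which tables you need depends on your firehol.conf, so pass the list as the third argument if the default "filter nat" does not match.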